Abstract

We present an algorithm for computing the set of torsion points satisfying
a given system of multivariate polynomial equations. Its complexity is
quasilinear in the logarithm of the degree of the input equations and
exponential in their number of nonzero terms and variables.

1 Introduction and statement of results

Let $F_1, \dots, F_k \in \mathbb{Z}[X_1, \dots, X_n]$ be a family of multivariate
polynomials. We consider the problem of computing the solutions of the
system of equations

$$F_1(X_1, \dots, X_n) = \dots = F_k(X_1, \dots, X_n) = 0 \qquad (1)$$

in roots of unity. This problem arises naturally when solving trigonometric
equations and also when solving some geometric problems, see for instance
pm\ . [PR98] . 

For $n = 1$, this is equivalent to the problem of finding the common
cyclotomic factors of $F_1, \dots, F_k$. Based on a result of J.H. Conway and
A.J. Jones [CJ76], M. Filaseta, A. Granville and A. Schinzel have recently
described an algorithm in [FGS08] that solves this problem with a complexity
quasilinear in the logarithm of the degree of the input polynomials.

For $n \geq 2$, the system (1) can have an infinite number of solutions in roots
of unity but a structure theorem of M. Laurent [Lau84] implies that this set
can in principle be described in finite terms (see below for more details).
In this text, we first simplify the algorithm of [FGS08] and make its
complexity precise (see Algorithm 1 in Section 2), then we extend it to the
general multivariate case (see Algorithm 2 in Section 3). The complexity of
this algorithm is again quasilinear in the logarithm of the degree of the
input polynomials, although exponential in their number of variables and
their number of nonzero terms. Hence our algorithm can be regarded as an
effective version of Laurent's Theorem which is particularly well suited for
lacunary polynomials, that is polynomials having a small number of nonzero
terms but potentially large degree.

In the following, we fix $n \in \mathbb{N}^*$. We begin by recalling some basic
facts on Diophantine geometry of subvarieties of the algebraic torus
$\mathbb{G}_m^n := (\overline{\mathbb{Q}}^\times)^n$. All definitions and results stated here
can also be found in [S96] or in [Z09] and we refer to these texts for the
proofs and for more details. The set $\mathbb{G}_m^n$ is a group for the usual
multiplication:

$$(x_1, \dots, x_n) \cdot (y_1, \dots, y_n) = (x_1 y_1, \dots, x_n y_n).$$

An algebraic subgroup $H \subset \mathbb{G}_m^n$ is a subgroup of $\mathbb{G}_m^n$ which is an
algebraic variety, i.e. it is Zariski closed. A point of finite order in the
group $\mathbb{G}_m^n$ will be called a torsion point. The set of torsion points in
$\mathbb{G}_m^n$ is exactly $\mu_\infty^n$, where $\mu_\infty$ denotes the set of roots of unity in
$\overline{\mathbb{Q}}$. A torsion coset is a coset of the form

$$\eta H := \{\eta \cdot h \mid h \in H\},$$

where $H$ is an algebraic subgroup and $\eta \in \mu_\infty^n$. For $V$ a subvariety of
$\mathbb{G}_m^n$, we write $V_{\mathrm{tors}}$ for the set of torsion points lying in $V$. A
celebrated theorem of Laurent [Lau84] asserts that the Zariski closure
$\overline{V_{\mathrm{tors}}}$ of $V_{\mathrm{tors}}$ is the union of a finite number of torsion cosets:

$$\overline{V_{\mathrm{tors}}} = B_1 \cup \dots \cup B_t. \qquad (2)$$

This result was previously conjectured by S. Lang [Lan83]. It was proved by
Y. Ihara, J. P. Serre and J. Tate when $V$ is a curve [Lan83] and by Laurent
in the general case.

For $x = (x_1, \dots, x_n) \in \mathbb{G}_m^n$ and $\lambda = (\lambda_1, \dots, \lambda_n) \in \mathbb{Z}^n$, we set:

$$x^\lambda := x_1^{\lambda_1} \cdots x_n^{\lambda_n} \in \mathbb{G}_m.$$

If $\Lambda$ is a subgroup of $\mathbb{Z}^n$ of dimension $k$, then the set

$$H_\Lambda := \{x \in \mathbb{G}_m^n \mid x^\lambda = 1, \ \forall \lambda \in \Lambda\}$$

is an algebraic subgroup of $\mathbb{G}_m^n$ of dimension $n - k$. Furthermore the map
$\Lambda \mapsto H_\Lambda$ is a bijection between the set of subgroups of $\mathbb{Z}^n$ and the
set of algebraic subgroups of $\mathbb{G}_m^n$ [S96, Lemma 2].

Let $M_{k,n}(\mathbb{Z})$ be the set of matrices with $k$ rows and $n$ columns with
integer coefficients. When $L = (\lambda_{i,j})_{1 \le i \le k} \in M_{k,n}(\mathbb{Z})$ and
$x = (x_1, \dots, x_n) \in \mathbb{G}_m^n$, we define:

$$x^L := (x^{\lambda_1}, \dots, x^{\lambda_k}) \in \mathbb{G}_m^k,$$

where $\lambda_1, \dots, \lambda_k$ are the rows of the matrix $L$. Now let $\Lambda$ be a subgroup
of $\mathbb{Z}^n$ of dimension $k$, let $\lambda_1, \dots, \lambda_k$ be a $\mathbb{Z}$-basis of $\Lambda$ and let
$L$ be the matrix of size $k \times n$ whose rows consist of the vectors
$\lambda_1, \dots, \lambda_k$. Let also $\omega \in \mu_\infty^k$, then the set:

$$B(L, \omega) := \{x \in \mathbb{G}_m^n \mid x^L = \omega\} \qquad (3)$$

is a torsion coset and, in fact, all torsion cosets can be described in this
way. Our algorithm takes as input a finite number of polynomials and outputs
a finite number of torsion cosets whose union is $\overline{V_{\mathrm{tors}}}$ as in (2).
Furthermore each torsion coset of dimension $n - r$ will be represented by a
pair $(L, \omega) \in M_{k,n}(\mathbb{Z}) \times \mu_\infty^k$ as in (3). We remark that it is easy to
describe all the torsion points lying in such a coset since

$$B(L, \omega)_{\mathrm{tors}} := \{\zeta \in \mu_\infty^n \mid \zeta^L = \omega\}.$$
Let us now describe the input of the algorithm. Let

$$F = \sum_{i=1}^{N} a_i X^{\alpha_i}$$

be a polynomial in $n$ variables with integer coefficients. The lacunary
encoding of $F$ is the list

$$[(a_1, \alpha_1), \dots, (a_N, \alpha_N)]$$

of its nonzero coefficients with corresponding exponents and its height is
defined by:

$$h(F) := \max_i \{\log |a_i|\}.$$

If $F$ is of total degree $d$ and of height $h$, the number of bits to encode
this representation is

$$O(N(h + n \log(d))).$$

When $d \in \mathbb{N}$, we set $M(d)$ for the complexity of multiplying two integers
smaller than $d$. We can now state our main result.



Theorem 1.1 There exists a deterministic algorithm which has the following
property. Let $F_1, \dots, F_k \in \mathbb{Z}[X_1, \dots, X_n]$ be polynomials given by their
lacunary encoding and let $V$ be the variety defined by those polynomials. The
algorithm computes a family of torsion cosets $B_1, \dots, B_t$ such that

$$\overline{V_{\mathrm{tors}}} = \bigcup_{1 \le i \le t} B_i,$$

where the torsion cosets are represented as in (3). Furthermore, this
algorithm performs at most

O [N^'^^^M^d) loglog((i) + h)) 

bit operations, where $N$ denotes the maximum number of nonzero terms in
each $F_i$, $d$ denotes an upper bound for their total degree and
$h = \max_{1 \le i \le k} (h(F_i))$.

Remark: We have

$$M(d) = O(\log(d) \log\log(d) \log\log\log(d))$$

because of the algorithm of A. Schönhage and V. Strassen ([GG03]) and so
the complexity of the algorithm underlying Theorem 1.1 is

0,{N''^^{log{dY+' + h)) Ve>0. 



Some related problems have been studied in the univariate case. Let
$F \in \mathbb{Z}[X]$ be given by its lacunary encoding, and let $m$ be a non-negative
integer. The problem of testing whether $F$ vanishes at a root of unity of
order $m$ is called the cyclotomic test (CT). In [CTV09], Q. Cheng, S. P.
Tarasov and M. N. Vyalyi have shown that this problem can be solved in
time polynomial in the size of the input, that is $\mathrm{CT} \in \mathrm{P}$.

The generalized cyclotomic test (GCT) consists in determining if $F$
vanishes at some root of unity at all, that is if there exists some
$m \in \mathbb{N}$ such that $(F, m)$ is a positive instance of CT. The fact that
$\mathrm{CT} \in \mathrm{P}$ implies that $\mathrm{GCT} \in \mathrm{NP}$. On the other hand, Plaisted has
previously shown that this problem is NP-hard [FM Thm 5.1] and so GCT is
NP-complete.

Filaseta and Schinzel proposed a subexponential algorithm for solving
GCT [FS04]. In collaboration with Granville, they extended this algorithm to
compute all of the cyclotomic factors of $F$ [FGS08]. In this text, we
simplify this last algorithm and we clarify the dependence of its complexity
on the number $N$ of terms, which turns out to be exponential. We also improve
the practical implementation and execution time of this algorithm. The
exponential behavior of the complexity with respect to $N$ seems unavoidable
and indeed, we think that the size of the output is exponential in the size
of the input in the worst case. In Section 2, we exhibit a family of
examples which supports this conjecture.

For $n \geq 2$, the only previous constructive methods are described in
[Ru93], [BS02], [AS08], [Ro07]. Their complexity is not made explicit in these
references but it is certainly at least of type (f"h, where n denotes their 
number of variables, d denotes a bound for the degree of the input poly- 
nomials, and h denotes a bound for their height, because of the systematic 
application of iterated resultants. Thus these methods are better suited for 
dense polynomials of small degree and having a small number of variables. 
On the contrary, our result is particularly efficient for polynomials with few
terms but potentially very high degree (10^°° for example), see for instance
the examples in Subsection 2.3.

We deduce from the analysis of the algorithm underlying Theorem 1.1
the following upper bound for the number of torsion cosets in a subvariety

Corollary 1.2 Let $F_1, \dots, F_k \in \mathbb{Z}[X_1, \dots, X_n]$ be polynomials, each having
at most $N$ nonzero terms and let $V$ be the subvariety of $\mathbb{G}_m^n$ defined by
those polynomials. Then $\overline{V_{\mathrm{tors}}}$ is the union of at most




torsion cosets.

Historically, the first effective upper bound for the number of maximal
torsion cosets was obtained by E. Bombieri and U. Zannier in [BZ95].
Shortly afterwards, W. Schmidt found an upper bound depending only on
the number of variables and on the degree of the input polynomials [S96].
The main interest of the bound in Corollary 1.2 is that it is independent
of the degree of the polynomials defining $V$. However, we mention that a
similar bound might be alternatively obtained with the methods in [S96].

It is worth noting that for the number of connected (or irreducible) torsion
cosets, the dependence on the degree is unavoidable. Currently, the best
bound is due to F. Beukers and C.J. Smyth [BS02] when $n = 2$ and to F.
Amoroso and E. Viada in the general case [AV09]. The result of Amoroso and
Viada says that the number of connected torsion cosets in a variety defined
by polynomials of degree at most $d$ is bounded by



n2(n-l)2 



Other results in this direction were obtained by G. Rémond in [Re02],
Amoroso and S. David in [AD06] and David and P. Philippon in [DP07].

The outline of the paper is as follows. In Section 2, we present our
simplification of the algorithm of Filaseta, Granville and Schinzel. In
Section 3, we generalize it for a multivariate polynomial and we will finally
explain in Section 4 how we can adapt it for general varieties.

Acknowledgements: I would like to thank Francesco Amoroso and Martin 
Sombra for their precious help and many suggestions. I also express my 
gratitude to Denis Simon who suggested me the example in Section | 



2 Cyclotomic factors of univariate polynomials 

Let $F(X) \in \mathbb{Z}[X]$ be a polynomial of degree $d$. Since $F$ has integer
coefficients, computing the set of $\zeta \in \mu_\infty$ such that $F(\zeta) = 0$ is
equivalent to computing the set of integers $m$ for which

$$\Phi_m(X) \mid F(X),$$

where $\Phi_m$ denotes the $m$th cyclotomic polynomial. We want to compute this
set in time polynomial in $\log(d)$. However, the total number of cyclotomic
factors of $F$ in the worst case is not polynomial in $\log(d)$, as shown by the
following example: let $x$ be an integer greater than 17 and let

$$F(X) = X^d - 1,$$

where $d$ is the product $p_1 \cdots p_r$ of all prime numbers smaller than $x$. An
effective version of Tchebychev's Theorem [RS62] gives the inequalities:

$$\pi(x) > \frac{x}{\log x} \quad \text{and} \quad \sum_{p \le x} \log p < 1.02\, x \quad \text{for } x \ge 17,$$

where $\pi(x) := \#\{p \text{ prime} \mid p \le x\}$. From these, we deduce:

$$r \ge \frac{x}{\log x} \quad \text{and} \quad d < \exp(1.02\, x).$$

Furthermore,

$$F(X) = \prod_{m \mid d} \Phi_m(X) \quad \text{and} \quad \#\{m \in \mathbb{N} : m \mid d\} = 2^r \ge 2^{x/\log x},$$

so the number of cyclotomic factors of $F$ is not polynomial in the logarithm
of its degree.

Even in the case when the number of factors is small, separating them is
as difficult as factoring integers. To illustrate this problem, let us consider

$$F(X) := X^{pq} - 1,$$

where $p$ and $q$ are distinct prime numbers. We have

$$F(X) = \Phi_1(X) \Phi_p(X) \Phi_q(X) \Phi_{pq}(X)$$

so we want the algorithm to output the set $\{1, p, q, pq\}$. Doing this is
equivalent to factoring $pq$ but this problem is known to be hard and, at the
moment, no algorithm can factor $pq$ in polynomial time in $\log(pq)$.

To avoid these problems, we will represent the output of our algorithm
differently. It will be given as a set $S_F$ of pairs of integers $(m, e)$ such
that

$$V(F)_{\mathrm{tors}} = \bigcup_{(m,e) \in S_F} V(\Phi_m(X^e)),$$

where $V(F) := \{x \in \overline{\mathbb{Q}} : F(x) = 0\}$. Given this representation, we are
reduced to integer factorizations to obtain the complete list of cyclotomic
factors of $F$ with the following lemma:

Lemma 2.1 Let $m, e \in \mathbb{N}^*$. We set $e_1 := \prod_{p \mid m} p^{\mathrm{ord}_p(e)}$ and
$e_2 := e/e_1$. Then

$$\Phi_m(X^e) = \Phi_{m e_1}(X^{e_2}) = \prod_{d \mid e_2} \Phi_{m e_1 d}(X).$$

Proof: To prove the first equality, it suffices to remark that the roots of
$\Phi_{m e_1}(X^{e_2})$ are also roots of $\Phi_m(X^e)$. Since those polynomials are
squarefree, have the same degree and leading coefficient 1, we conclude that
they coincide. A similar argument shows that $\Phi_m(X^e)$ divides the polynomial
$\prod_{d \mid e_2} \Phi_{m e_1 d}(X)$. Moreover, these polynomials have leading coefficient 1
and same degree. Indeed

d\e2 

where $\varphi$ denotes the Euler totient function. Finally these three polynomials
are equal. □

In the rest of this section, we establish the following result:

Theorem 2.2 There exists a deterministic algorithm which has the following
property: for $F \in \mathbb{Z}[X]$ given by its lacunary encoding, the algorithm
determines a set:

$$S_F := \{(m_1, e_1), \dots, (m_t, e_t)\}$$

of pairs of integers such that

$$V(F)_{\mathrm{tors}} = \bigcup_{i=1}^{t} V(\Phi_{m_i}(X^{e_i})).$$

Furthermore, this algorithm requires

O {N^{M{d) loglog(rf) +

bit operations, where $d$ denotes the degree of $F$, $h$ its height and $N$ its
number of nonzero terms.

The algorithm underlying Theorem 2.2 is Algorithm 1 in Subsection 2.2.
This result is essentially [FGS08, Thm C] but we give a much simpler proof
which allows us to make explicit the dependence of the complexity on the
number of nonzero terms $N$ and to speed up its practical execution. More
importantly, this proof extends to the multivariate case, as we will see in
the next section. We first give a few preliminary results before proving
Theorem 2.2 and finally we will construct a family of polynomials having many
«separated» cyclotomic factors in Subsection 2.3.

2.1 Preliminary results 

We first recall the cost of standard arithmetic in $\mathbb{Z}$:

The product of two integers of bit length bounded by $\log(d)$ can be
computed in

$$M(d) = O(\log(d) \log\log(d) \log\log\log(d)) = O_\varepsilon((\log(d))^{1+\varepsilon}) \quad \forall \varepsilon > 0$$

bit operations with the algorithm of Schönhage-Strassen [SS71].

The gcd of two integers of bit length bounded by $\log(d)$ can be computed in

$$O(\log(d) (\log\log(d))^2 \log\log\log(d)) = O_\varepsilon((\log(d))^{1+\varepsilon}) \quad \forall \varepsilon > 0$$

bit operations with the algorithm of Knuth-Schönhage [K70]. We refer to
[GG03] for the description and analysis of those algorithms.

If $\zeta \in \mu_\infty^n$, denote by $\mathrm{ord}(\zeta)$ the order of $\zeta$ in the group $\mu_\infty^n$, which
equals the least common multiple of the orders of its coordinates. For
$m \in \mathbb{N}^*$, we also define:

$$\Psi(m) := 2 + \sum_{p \mid m} (p - 2),$$

where $p$ runs over the prime numbers dividing $m$. The main ingredient of
the proof of Theorem 2.2 is the following result due to Conway and Jones
Theorem 2.3 (Conway-Jones 1976) Let $\zeta_m$ be a root of unity of order $m$.
Let also $a_1, \dots, a_N, \alpha_1, \dots, \alpha_N$ be integers and
$S := a_1 \zeta_m^{\alpha_1} + \dots + a_N \zeta_m^{\alpha_N}$. If

1. $S = 0$,

2. no proper subsum of $S$ vanishes,

3. $\gcd(\alpha_2 - \alpha_1, \dots, \alpha_N - \alpha_1, m) = 1$,

then $m$ is squarefree and $\Psi(m) \le N$.

We say that a vanishing sum of roots of unity is minimal if condition 2
is satisfied. Condition 3 is equivalent to

$$\mathrm{ord}(\zeta_m^{\alpha_2 - \alpha_1}, \dots, \zeta_m^{\alpha_N - \alpha_1}) = m.$$

We also need the following lemma:

Lemma 2.4 Let $m_1, \dots, m_s \in \mathbb{N}^*$, then

$$\Psi(m_1 \cdots m_s) \le \sum_{i=1}^{s} \Psi(m_i) - 2(s - 1).$$

Proof: We have that

$$\Psi(m_1 \cdots m_s) = 2 + \sum_{p \mid m_1 \cdots m_s} (p - 2) \le 2 + \sum_{i=1}^{s} \sum_{p \mid m_i} (p - 2) \le \sum_{i=1}^{s} \Psi(m_i) - 2(s - 1). \quad \square$$

We also need some upper bounds for the cardinality of certain sets to
compute a bound for the complexity of Algorithm 1:

Lemma 2.5 Let $N \in \mathbb{N}^*$ and $E_N$ be the set of partitions of $\{1, \dots, N\}$ which
only contain subsets with at least two elements. Then:

$$\#E_N < N!$$

Proof: Let $\sigma$ be an element of $\mathfrak{S}_N$, the group of permutations of the set
$\{1, \dots, N\}$. Let $\sigma = c_1 \circ \dots \circ c_s$ be its decomposition into disjoint cycles,
then we associate to $\sigma$ the partition $\{J_1, \dots, J_s\}$ of the set $\{1, \dots, N\}$
such that $J_j$ is the support of $c_j$ for all $1 \le j \le s$. Since this map is a
surjection between $\mathfrak{S}_N$ and the set of partitions of the set $\{1, \dots, N\}$ and
since $E_N$ is strictly included in this set, we have $\#E_N < N!$. □

Remark: We can improve this estimate to ^-Eat < — by considering the
subset of $\mathfrak{S}_N$ consisting of the permutations without fixed points, whose
image also contains $E_N$.

Lemma 2.6 Let $N, n \in \mathbb{N}$. We set

$$Q_N := \{m \in \mathbb{N} : \Psi(m) \le N \text{ and } m \text{ is squarefree}\}$$

and

$$Q_{n,N} := \{\omega \in \mu_\infty^n : \mathrm{ord}(\omega) \in Q_N\}.$$

Then

$$\#Q_N \le \exp\left(3\sqrt{N \log N}\right)$$

and

$$\#Q_{n,N} \le \exp\left(3(n+1)\sqrt{N \log N}\right).$$



Proof: We first prove the first inequality. Let $m \in Q_N$ and let
$m = \prod_{i=1}^{r} p_i$ be its factorization into primes. Since $\Psi(m) \le N$, we have

$$\sum_{i=1}^{r} p_i \le N + 2(r - 1).$$

Furthermore,

$$N - 2 \ge \sum_{i=1}^{r} (p_i - 2) \ge \sum_{i=2}^{r} (p_i - 2) \ge \sum_{i=1}^{r-1} (2i - 1) = (r - 1)^2.$$

So, $r \le \sqrt{N - 2} + 1$ and

$$\sum_{i=1}^{r} p_i \le N + 2\sqrt{N - 2}. \qquad (4)$$

Let us now obtain a better upper bound for $r$. By direct computation, we
obtain that

$$r \le 3\sqrt{\frac{N}{\log N}} \quad \text{for } N \le 10\,000.$$

We assume now that $N > 10\,000$. An effective version of Tchebychev's
Theorem (see [RS62]) gives the inequalities:

$$\pi(x) \le 1.26\, \frac{x}{\log x} \quad \text{and} \quad \sum_{p \le x} p \ge \frac{x^2}{2 \log x} \quad \text{for } x \ge 347. \qquad (5)$$

Then for $x := 1.15 \sqrt{N \log N}$, we have $x \ge 347$ and thus:

$$\sum_{p \le x} p \ge \frac{1.15^2\, N \log N}{2 \log(1.15 \sqrt{N \log N})} \ge N + 2\sqrt{N - 2}. \qquad (6)$$

The last inequality comes from a simple study of function. Combining the
two inequalities (4) and (6), we obtain $\sum_{p \le x} p \ge \sum_{i=1}^{r} p_i$ and then:

$$r \le \pi(1.15 \sqrt{N \log N}) \le 1.26\, \frac{1.15 \sqrt{N \log N}}{\log(1.15 \sqrt{N \log N})} \quad \text{according to (5)},$$

and finally

log(ViV) - V / s

So each integer in the set $Q_N$ has at most $3\sqrt{N/\log N}$ prime factors which
are all smaller than $N$. It follows that

$$\#Q_N \le N^{3\sqrt{N/\log N}} = \exp\left(3\sqrt{N \log N}\right).$$

Now we prove the second inequality. Let $\omega \in Q_{n,N}$ be of order $m \in Q_N$. We
have established that $m \le \exp(3\sqrt{N \log N})$. Moreover, $\omega$ can be represented
by the $(n+1)$-tuple:

$$(d_1, \dots, d_n, m),$$

where the integers $d_i$ are between 0 and $m - 1$ so that:

$$\omega = (\zeta_m^{d_1}, \dots, \zeta_m^{d_n}),$$

where $\zeta_m = \exp(2i\pi/m)$. Since there are at most $\exp(3(n+1)\sqrt{N \log N})$ such
$(n+1)$-tuples, the result follows. □

2.2 Proof of Theorem 2.2

In the following, let

$$F(X) = \sum_{i=1}^{N} a_i X^{\alpha_i}$$

and $\zeta_m$ be a root of unity of order $m$ such that

$$F(\zeta_m) = 0. \qquad (7)$$

We will determine equivalent conditions to the equation (7) that we could
test algorithmically. Let $\{J_1, \dots, J_s\}$ be a partition of the set $\{1, \dots, N\}$
such that

$$\sum_{i \in J_j} a_i \zeta_m^{\alpha_i} = 0 \quad \forall\, 1 \le j \le s$$

and such that every such sum is minimal. For $1 \le j \le s$, let

such that $F(X) = \sum_{j=1}^{s} F_j(X)$. We also define for $1 \le j \le s$, integers $e_j$, $b_j$
and polynomials $G_j$ such that

$$F_j(X) = X^{b_j} G_j(X^{e_j}), \qquad (8)$$

where $G_j(0) \ne 0$ and such that the exponents of the monomials appearing
in $G_j$ are coprime. We finally set:

$$m_j := \frac{m}{\gcd(m, e_j)}.$$

If $\zeta_{m_j}$ denotes a root of unity of order $m_j$, the equation (7) is then
equivalent to:

$$G_j(\zeta_{m_j}) = 0 \quad \text{and} \quad m_j = \frac{m}{\gcd(m, e_j)} \quad \forall\, 1 \le j \le s. \qquad (9)$$

Furthermore, by construction, the sums $G_j(\zeta_{m_j})$ satisfy the conditions of
Theorem 2.3 so we have

$$\Psi(m_j) \le N_j \quad \forall\, 1 \le j \le s,$$

where $N_j := \#J_j$ and $m_j$ is squarefree.

We set $e := \gcd(e_1, \dots, e_s)$ and, for $1 \le j \le s$, we also set $e'_j := e_j/e$.
Finally we set

$$m' := \frac{m}{\gcd(m, e)}$$

and we observe that

$$\frac{m}{\gcd(m, e_j)} = \frac{m'}{\gcd(m', e'_j)} \quad \forall\, 1 \le j \le s.$$

The condition (9) is then equivalent to:

$$G_j(\zeta_{m_j}) = 0 \quad \text{and} \quad m_j = \frac{m'}{\gcd(m', e'_j)} \quad \forall\, 1 \le j \le s. \qquad (10)$$

Moreover, since $m' \mid \mathrm{lcm}(m_1, \dots, m_s)$, we have:

$$\Psi(m') \le \Psi(\mathrm{lcm}(m_1, \dots, m_s)) \le \Psi(m_1 \cdots m_s) \le \sum_{j=1}^{s} \Psi(m_j) - 2(s - 1) \quad \text{according to Lemma 2.4}$$

$$\le \sum_{j=1}^{s} N_j - 2(s - 1) \le N - 2(s - 1)$$

and $m'$ is squarefree since it divides the squarefree number
$\mathrm{lcm}(m_1, \dots, m_s)$. We also remark that after a partition of $\{1, \dots, N\}$ and
an integer $m'$ are fixed, the condition (10) can be tested since the
polynomials $G_j$ and the integers $m_j$, $e'_j$ only depend on the partition and on
$m'$. The algorithm will test the condition (10) for all possible choices of
partitions and for all possible choices of integers $m'$. We can do this as
follows:
Algorithm 1

Input: A polynomial $F(X) = \sum_{i=1}^{N} a_i X^{\alpha_i}$ given by its lacunary encoding.

Output: The set $S_F$ of Theorem 2.2.

1. $S_F \leftarrow \emptyset$.

2. For each partition $\{J_1, \dots, J_s\}$ of $\{1, \dots, N\}$ such that $\#J_j \ge 2$ for all
$1 \le j \le s$ do:

(a) For all $1 \le j \le s$, compute the polynomials $G_j$ and the integers
$e_j$ associated to the set $J_j$, as in (8).

(b) Compute $e := \gcd(e_1, \dots, e_s)$ and for $1 \le j \le s$, compute
$e'_j := e_j/e$.

(c) For each squarefree integer $m'$ satisfying $\Psi(m') \le N - 2(s - 1)$
do:

i. For $1 \le j \le s$, compute $m_j := \frac{m'}{\gcd(m', e'_j)}$.

ii. If $\Phi_{m_j}(X) \mid G_j(X)$ for all $1 \le j \le s$, then do
$S_F \leftarrow S_F \cup \{(m', e)\}$.

3. Output $S_F$ and terminate.

According to the discussion above, this algorithm correctly outputs the
set $S_F$ of Theorem 2.2. We will only explain how we can compute the set $Q_N$
of integers considered in step (2.c) and how we can check the divisibility
relations in step (2.c.ii). Let us recall that the set $Q_N$ was defined in
Lemma 2.6 by

$$Q_N = \{m \in \mathbb{N} \mid m \text{ is squarefree and } \Psi(m) \le N\}.$$

We begin by constructing the set $P_N = \{p_1, \dots, p_t\}$ of prime numbers less
than $N$, which can be done with the Eratosthenes sieve in O(A^^logA^) bit
operations. Then we compute the subsets $\{q_1, \dots, q_r\}$ of $P_N$ for which

$$2 + \sum_{i=1}^{r} (q_i - 2) \le N. \qquad (11)$$

Checking the inequality (11) requires summing at most $N$ integers of bit
length less than $\log N$, which can be done in $O(N \log N)$ bit operations for
a given subset $\{q_1, \dots, q_r\}$ of $P_N$. Furthermore, #P/v < so this set has
less than 2^ subsets and checking the inequality (11) for all of them requires
0(2^ A^ log A^) bit operations. Finally, we start with $Q_N$ equal to the empty
set and for each subset $\{q_1, \dots, q_r\}$ of $P_N$ satisfying the inequality (11), we
compute the product $\prod_{i=1}^{r} q_i$ and add it to $Q_N$. Computing this product
requires performing at most $N$ products of integers of bit length less than
$\log N$ and since this product never exceeds $\exp(3\sqrt{N \log N})$ according to
Lemma 2.6 this can be done in O(A^^logA^) bit operations. Performing
this operation for every set $\{q_1, \dots, q_s\}$ can be done in 0(2^ A^^ log A^) bit
operations and this is also the number of bit operations needed to compute
$Q_N$.

Let us now explain how we check the divisibility relation $\Phi_{m_j}(X) \mid G_j(X)$
at step (2.c.ii). For this we use a simple algorithm described by Filaseta
and Schinzel in [FS04, Theorem 3]. It requires the factorization of $m_j$ and is
based on the equivalence

$$\Phi_m(X) \mid G(X) \iff X^m - 1 \mid G(X) \times \prod_{p \mid m} \left(X^{m/p} - 1\right),$$

where the product runs over the prime numbers dividing $m$. We refer to
[FS04] for the complete description of this algorithm and its running time.
In our case, since $m_j$ is squarefree, the first step of their algorithm can
be avoided and the divisibility relation $\Phi_{m_j}(X) \mid G_j(X)$ can be checked in
O (^X3(log;Y)223VA/iogA/(^/^ ^ M(rf))) bit operations.

Finally we estimate the overall complexity of Algorithm 1. We recall that
at step (2.a), the polynomials $G_j$ are defined by:

$$F_j(X) = X^{b_j} G_j(X^{e_j}).$$

In order to compute these polynomials, we have to perform $N$ subtractions
of integers of bit length bounded by $\log(d)$, then we have to perform at most
$N$ gcd computations of integers of bit length bounded by $\log(d)$, and finally
compute $N$ divisions of integers of bit length bounded by $\log(d)$ and all of
these computations require $O(N M(d) \log\log(d))$ bit operations.

At step (2.b), we have to compute $s - 1$ gcds of integers of bit length
bounded by $\log(d)$ to compute $e$, then we have to perform $s$ Euclidean
divisions of integers of bit length bounded by $\log(d)$ to compute the integers
$e'_j$. So on the whole, this requires $O(N M(d) \log\log(d))$ bit operations.

At step (2.c), in order to compute the integers $m_j$, we perform $s$ divisions
and $s$ gcd computations of integers of bit length bounded by $d$ and this
requires again $O(N M(d) \log\log(d))$ bit operations. In order to check the
divisibility relations, we apply $s$ times the algorithm of Filaseta and Schinzel
[FS04, Theorem 3] and this can be done in

O (^N\logNf2^^^^^{h + M(rf)))

bit operations.

Moreover, since there are at most $N!$ partitions to consider at step (2) by
Lemma 2.5 and since there are at most $\exp(3\sqrt{N \log N})$ integers to consider
at step (2.c) by Lemma 2.6, the total number of bit operations performed by
the algorithm is:

0(iV^(M(d) loglog(rf) + /i)) ,

which completes the proof of Theorem 2.2. □

2.3 A family of polynomials having many «separated» 
cyclotomic factors 

We believe that the output of Algorithm 1 can be exponential in the size of the
input in the worst case. The following example, which has been elaborated
with Denis Simon, supports this conjecture. When $N = 2n$ is an even integer,
we construct polynomials for which the output of the algorithm cannot be
regrouped in less than $n!$ pairs of integers.

Proposition 2.7 Let $n \in \mathbb{N}$ and $p_1, \dots, p_{n!}$ be $n!$ prime numbers greater
than $2n$. Then there exists a polynomial $f \in \mathbb{Z}[X]$ having $2n$ nonzero terms
and satisfying

1. $X^{p_r} - 1 \mid f(X) \quad \forall\, 1 \le r \le n!$

2. $X^{p_r p_{r'}} - 1 \nmid f(X) \quad \forall\, 1 \le r < r' \le n!$

Proof: Let $f(X) := \sum_{i=1}^{n} X^{\alpha_i} - \sum_{i=n+1}^{2n} X^{\alpha_i}$. We will compute values of
$\alpha_i$ for which $f$ satisfies Proposition 2.7. We consider all the partitions
$\{J_1, \dots, J_n\}$ of the set $\{1, \dots, 2n\}$ made of 2-element sets $J_1, \dots, J_n$ such
that each $J_j$ contains an element in $\{1, \dots, n\}$ and another one in
$\{n+1, \dots, 2n\}$. For instance,

$$\{\{1, n+1\}, \{2, n+2\}, \dots, \{n, 2n\}\}$$

is one of these partitions. We remark that there are $n!$ such partitions. We
enumerate these partitions as

$$\pi_r := \{J_{r,1}, \dots, J_{r,n}\} \quad \forall\, 1 \le r \le n!.$$

To each partition $\pi_r = \{J_{r,1}, \dots, J_{r,n}\}$ we associate injectively a prime
number $p_r$ strictly larger than $2n$. According to the Chinese remainder
theorem, we can choose $\alpha_i$ such that:

$$i \in J_{r,k} \iff \alpha_i \equiv k - 1 \bmod p_r \quad \forall\, 1 \le r \le n!.$$

By construction, all the $\alpha_i$ are distinct and we have:

$$X^{p_r} - 1 \mid f(X) \quad \forall\, 1 \le r \le n!.$$

We finally prove the second part of the proposition. Let us suppose, for
example, that $X^{p_1 p_2} - 1$ divides $f(X)$. We then have $\Phi_{p_1 p_2}(X) \mid f(X)$. Thus
$f(\zeta) = 0$, where $\zeta$ denotes a root of unity of order $p_1 p_2$. Let also

$$\sum_{i=1}^{n} \zeta^{\alpha_i} - \sum_{i=n+1}^{2n} \zeta^{\alpha_i} = S_1 + \dots + S_t$$

be a decomposition of $f(\zeta)$ into minimal vanishing sums. Let $m_j$ be the
order of $S_j$. Since $m_j \mid p_1 p_2$, we have $m_j \in \{1, p_1, p_2, p_1 p_2\}$ and $m_j$ satisfies
$\Psi(m_j) \le \#S_j \le 2n$ according to Theorem 2.3. However $m_j = 1$ since
$\Psi(p_1) = p_1 > 2n$, $\Psi(p_2) = p_2 > 2n$ and $\Psi(p_1 p_2) = p_1 + p_2 - 2 > 2n$. So each
$S_j$ is a multiple of a vanishing sum of roots of unity of the shape
$\pm 1 \cdots \pm 1 = 0$. Since $S_j$ is minimal, it must have length 2 and we also have
$t = n$. Thus for $1 \le j \le n$ we can rewrite $S_j$ as:

$$S_j = \zeta^{\alpha_{a_j}} - \zeta^{\alpha_{b_j}}$$

with

$$1 \le a_j \le n < b_j \le 2n \quad \text{and} \quad \alpha_{a_j} \equiv \alpha_{b_j} \bmod p_1 p_2.$$

Then

$$\alpha_{a_j} \equiv \alpha_{b_j} \bmod p_1 \quad \text{and} \quad \alpha_{a_j} \equiv \alpha_{b_j} \bmod p_2 \quad \forall\, 1 \le j \le n.$$

Thus we necessarily have $\pi_r = \pi_1$ and $\pi_r = \pi_2$. This is a contradiction
since $\pi_1 \ne \pi_2$. Thus, $X^{p_1 p_2} - 1 \nmid f(X)$. □

Let $N = 2n$ be an even integer and $f$ be the polynomial constructed in
the proof of Proposition 2.7. It is easy to see that Algorithm 1, when
applied to $f$, will output at least $n!$ pairs of integers. Unfortunately, this
example does not suffice to prove that the size of the output is not polynomial
in the input size, because the degree of $f$ is doubly exponential in $N$. So the
size of the input is also exponential in $N$. On the other hand, it proves that
for a given number of nonzero terms, the output can be exponential in $N$.

Example 2.8 for $N = 6$.

Let

We make the following choices of prime numbers for the $n! = 6$ partitions:

{{1,4}, {2,5}, {3,6}} → 7
{{1,4}, {2,6}, {3,5}} → 11
{{1,5}, {2,4}, {3,6}} → 13
{{1,5}, {2,6}, {3,4}} → 17
{{1,6}, {2,4}, {3,5}} → 19
{{1,6}, {2,5}, {3,4}} → 23

and we consider the following system of congruences:

       mod 7   mod 11   mod 13   mod 17   mod 19   mod 23
α_1      0       0        0        0        0        0
α_2      1       1        1        1        1        1
α_3      2       2        2        2        2        2
α_4      0       0        1        2        1        2
α_5      1       2        0        0        2        1
α_6      2       1        2        1        0        0

A solution of this system is:

α_1 = 0
α_2 = 1
α_3 = 2
α_4 = 6 282 199
α_5 = 2 501 941
α_6 = 6 088 721

which gives the polynomial:

$$f(x) = 1 + x + x^2 - x^{2501941} - x^{6088721} - x^{6282199}$$

for which Algorithm 1 outputs the set of pairs:

{(2,2), (1,7), (1,11), (1,13), (1,17), (1,19), (1,23)}

and we cannot regroup the pairs, according to Proposition 2.7.
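
The following Python code is an added example, not the author's implementation: it transcribes steps 1 to 3 of Algorithm 1 on a lacunary encoding and runs them on the polynomial of Example 2.8, rebuilt from the values of α_1, ..., α_6 listed above. All function names are chosen here, and the divisibility test generalizes the equivalence quoted from [FS04] to Φ_m(X^e) by substituting X^e for X, so that each returned pair can be checked directly against f.

```python
from functools import reduce
from itertools import combinations
from math import gcd


def prime_divisors(m):
    """Distinct primes dividing m, by trial division (m stays small here)."""
    primes, p = [], 2
    while p * p <= m:
        if m % p == 0:
            primes.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        primes.append(m)
    return primes


def phi_divides(m, e, terms):
    """True iff Phi_m(X^e) divides sum(c * X^a for c, a in terms).

    Equivalence from [FS04] with X replaced by X^e: X^(me) - 1 must divide
    F(X) * prod_{p | m} (X^(me/p) - 1). Working modulo X^(me) - 1 only needs
    exponents mod me, so the cost does not depend on the degree itself.
    """
    M = m * e
    acc = {}
    for c, a in terms:
        acc[a % M] = acc.get(a % M, 0) + c
    for p in prime_divisors(m):
        shift, nxt = M // p, {}
        for a, c in acc.items():  # multiply by (X^shift - 1)
            nxt[(a + shift) % M] = nxt.get((a + shift) % M, 0) + c
            nxt[a] = nxt.get(a, 0) - c
        acc = nxt
    return all(c == 0 for c in acc.values())


def partitions_min2(items):
    """Partitions of `items` whose blocks all have at least two elements."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for k in range(1, len(rest) + 1):
        for mates in combinations(rest, k):
            left = [x for x in rest if x not in mates]
            for tail in partitions_min2(left):
                yield [(first,) + mates] + tail


def squarefree_psi_bounded(bound):
    """Squarefree m with Psi(m) = 2 + sum_{p | m} (p - 2) <= bound."""
    primes = [p for p in range(2, bound + 1) if prime_divisors(p) == [p]]
    found = []

    def extend(i, m, budget):
        if i == len(primes):
            found.append(m)
            return
        extend(i + 1, m, budget)
        if primes[i] - 2 <= budget:
            extend(i + 1, m * primes[i], budget - (primes[i] - 2))

    if bound >= 2:
        extend(0, 1, bound - 2)
    return found


def algorithm1(terms):
    """Steps 1-3 of Algorithm 1; terms = [(a_i, alpha_i)], distinct exponents."""
    N, S = len(terms), set()
    for blocks in partitions_min2(list(range(N))):
        reduced = []
        for J in blocks:  # step (a): F_j = X^b_j * G_j(X^e_j)
            b = min(terms[i][1] for i in J)
            e_j = reduce(gcd, (terms[i][1] - b for i in J))
            G_j = [(terms[i][0], (terms[i][1] - b) // e_j) for i in J]
            reduced.append((e_j, G_j))
        e = reduce(gcd, (e_j for e_j, _ in reduced))  # step (b)
        for m in squarefree_psi_bounded(N - 2 * (len(blocks) - 1)):  # step (c)
            if all(phi_divides(m // gcd(m, e_j // e), 1, G_j)
                   for e_j, G_j in reduced):
                S.add((m, e))
    return S


# Example 2.8: exponents alpha_1..alpha_6 as listed on the page, signs as in
# the proof of Proposition 2.7 (first n terms +1, last n terms -1).
F_EX28 = [(1, 0), (1, 1), (1, 2), (-1, 6282199), (-1, 2501941), (-1, 6088721)]
PAIRS_EX28 = {(2, 2), (1, 7), (1, 11), (1, 13), (1, 17), (1, 19), (1, 23)}

if __name__ == "__main__":
    out = algorithm1(F_EX28)
    print(sorted(out))
    print("pairs of Example 2.8 found:", PAIRS_EX28 <= out)
    print("every pair divides f:", all(phi_divides(m, e, F_EX28) for m, e in out))
```

This literal transcription also returns pairs whose zeros are already covered by another pair, for instance (1,1), since f(1) = 0 and X - 1 divides X^7 - 1.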
Example 2.9 for $N = 8$.

We can construct the following polynomial

$$f(x) := 1 + x + x^2 + x^3 - x^{10649315971896428139150081202897150286932} - x^{10417696267221214855704118228748809801239} - x^{2747750133111287905524860455880456232062} - x^{626914938199634951807585972855218426387}$$

by considering the 24 prime numbers between 11 and 107. For this polynomial,
Algorithm 1 outputs the set of pairs:

{(1,13), (1,17), (1,19), (1,22), (1,23), (1,31), (1,37), (1,41), (1,43),
(1,47), (1,53), (1,58), (1,59), (1,61), (1,71), (1,79), (1,83), (1,89),
(1,97), (1,101), (1,103), (1,107), (1,134), (1,146)}

which corresponds to 29 distinct cyclotomic factors and by Proposition 2.7
these cannot be regrouped in less than 24 pairs, as above.



3 Torsion cosets of a hypersurface 

We want to compute a representation of the torsion points lying in a
hypersurface defined by a polynomial with integer coefficients. In this
section, we prove Theorem 1.1 in the case where $V$ is a hypersurface and
describe the algorithm underlying this theorem in Subsection 3.2.



3.1 Preliminary results 

First, we will need the following extension of Theorem 2.3 to the multivariate
case.

Corollary 3.1 Let $\zeta \in \mu_\infty^n$ be a point of order $m$ and
$F(X) = \sum_{i=1}^{N} a_i X^{\alpha_i} \in \mathbb{Z}[X_1^{\pm 1}, \dots, X_n^{\pm 1}]$ be a Laurent polynomial. If

1. $F(\zeta) = 0$,

2. no proper subsum of $F(\zeta)$ vanishes,

3. $\sum_{1 \le i,j \le N} \mathbb{Z}(\alpha_i - \alpha_j) = \mathbb{Z}^n$,

then $m$ is squarefree and $\Psi(m) \le N$.



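Proof: We just have to prove that $S := \sum_{i=1}^{N} a_i \zeta^{\alpha_i - \alpha_1}$ satisfies the three
conditions of Theorem 2.3. The first two conditions are satisfied since $F(\zeta)$
is a minimal vanishing sum by hypothesis. Let $M := \mathrm{lcm}\left(\mathrm{ord}(\zeta^{\alpha_i - \alpha_1})\right)$. It
remains to check the last condition, i.e. to check if $M = m$. Since the
divisibility $M \mid m$ is clear, we only have to prove the reverse divisibility
condition. In the following, we set $\zeta = (\zeta_m^{d_1}, \dots, \zeta_m^{d_n})$, where $\zeta_m$ is a root of
unity of order $m$. Let us first remark that for all $b_1, \dots, b_N \in \mathbb{Z}$, we have:

$$\mathrm{ord}\left(\zeta^{\sum_{i=1}^{N} b_i (\alpha_i - \alpha_1)}\right) \mid M.$$

Moreover, since $\sum_{i=1}^{N} \mathbb{Z}(\alpha_i - \alpha_1) = \mathbb{Z}^n$, there exist $b_1, \dots, b_N \in \mathbb{Z}$ such that
$\sum_{i=1}^{N} b_i (\alpha_i - \alpha_1) = (1, 0, \dots, 0)$. Thus,

$$\mathrm{ord}(\zeta_m^{d_1}) = \mathrm{ord}\left(\zeta^{\sum_{i=1}^{N} b_i (\alpha_i - \alpha_1)}\right) \mid M$$

and similarly

$$\mathrm{ord}(\zeta_m^{d_i}) \mid M \quad \text{for } 2 \le i \le n.$$

Finally we have

$$m = \mathrm{lcm}_i\left(\mathrm{ord}(\zeta_m^{d_i})\right) \mid M$$

and the last condition of Theorem 2.3 is satisfied. □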



We will also need to be able to compute a basis of a subgroup of
$\mathbb{Z}^n$ from a generating family of vectors. Let
$P_1, \dots, P_r \in \mathbb{Z}^n$ be vectors generating a subgroup $R$ of
$\mathbb{Z}^n$ of rank $k \le r$ and $M$ the matrix of size $r \times n$ whose
rows are the vectors $P_1, \dots, P_r$. We can compute from $M$ a matrix $H$ of
size $k \times n$, which is upper triangular, whose rows consist of a basis of
$R$. The matrix $H$ is called the Hermite normal form of $M$ and can be
computed with the following lemma:

Lemma 3.2 Let n, d, k be integers, M a matrix of size k x n with integer
coefficients bounded by d in absolute value. Then we can compute H , the 
Hermite normal form of M, in O {k^n^M{d)\og\og{d)) bit operations. 

In [LS96], the authors give a proof of this result with a better complexity
but this one will suffice for our needs. We refer to [GG03] for more details
about the Hermite normal form of an integral matrix.

3.2 Proof of Theorem 1.1 for a hypersurface

Let $F(X) = \sum_{i=1}^{N} a_i X^{\alpha_i} \in \mathbb{Z}[X_1, \dots, X_n]$,
and $\zeta \in \mu_\infty^n$ such that

$$F(\zeta) = 0. \tag{12}$$

As we have done in the proof of Theorem 2.2, we will find some conditions
equivalent to (12) that we could test algorithmically.

Let $\{J_1, \dots, J_s\}$ be a partition of $\{1, \dots, N\}$ such that:

$$\sum_{i \in J_j} a_i \zeta^{\alpha_i} = 0 \quad \forall\, 1 \le j \le s$$

and such that every of these sums is minimal. We set Nj := and, for 

1 < J < 

Thus we have $F(X) = \sum_{j=1}^{s} F_j(X)$. Then we renumber the coefficients
and the exponents of $F_j$ in the following manner:

1=1 

Let, for $1 \le j \le s$:

i=l 

be the subgroup of $\mathbb{Z}^n$ spanned by the differences of exponents of
$F_j$. We denote by $k_j$ the rank of this group and by
$\lambda_{j,1}, \dots, \lambda_{j,k_j}$ a basis of $R_j$. Then we can find a
Laurent polynomial $G_j$ in $k_j$ variables such that:

$$F_j(X) = X^{\alpha_{j,1}} G_j\left(X^{\lambda_{j,1}}, \dots, X^{\lambda_{j,k_j}}\right). \tag{13}$$

We set for $1 \le l \le k_j$,
We have

$$G_j(\omega_{j,1}, \dots, \omega_{j,k_j}) = 0, \quad \text{for } 1 \le j \le s. \tag{14}$$

The Laurent polynomial $G_j$ and the point
$(\omega_{j,1}, \dots, \omega_{j,k_j})$ of $\mu_\infty^{k_j}$ satisfy the
conditions of Corollary 3.1. If $m_j$ denotes the order of
$(\omega_{j,1}, \dots, \omega_{j,k_j})$ in $\mu_\infty^{k_j}$, we conclude that
$m_j$ is squarefree and $\Psi(m_j) \le N_j$. Now let $R := \sum_{j=1}^{s} R_j$
and $\lambda_1, \dots, \lambda_k$ be a basis of $R$. For $1 \le t \le k$, we
set $\omega_t := \zeta^{\lambda_t}$ and
$m' := \mathrm{ord}(\omega_1, \dots, \omega_k)$. By construction, we have:

$$m' \mid \mathrm{lcm}(m_1, \dots, m_s).$$

As in the proof of Theorem 2.2, the integer $m'$ is squarefree and satisfies
$\Psi(m') \le N - 2(s - 1)$.

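If the equalities (14) are satisfied for $1 \le j \le s$, we have
$F(\zeta) = 0$ for all $\zeta$ satisfying:

$$\omega_t = \zeta^{\lambda_t} \quad \text{for } 1 \le t \le k.$$

Thus we have

$$F(\zeta) = 0 \quad \forall\, \zeta \in B(L, (\omega_1, \dots, \omega_k)),$$

where $L$ denotes the matrix of size $k \times n$ whose rows are the vectors
$\lambda_1, \dots, \lambda_k$. We recall that $B(L, (\omega_1, \dots, \omega_k))$
was defined in (3) as

$$B(L, (\omega_1, \dots, \omega_k)) = \{x \in \mathbb{G}_m^n \mid x^L = (\omega_1, \dots, \omega_k)\}.$$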

Let us summarize what we just proved. If $F(\zeta) = 0$ for some
$\zeta \in \mu_\infty^n$, then there exist $L \in M_{n,k}(\mathbb{Z})$ and
$\omega \in \mu_\infty^k$, where $k \le n$, such that

$$\zeta \in B(L, \omega) \quad \text{and} \quad B(L, \omega) \subset V(F).$$

Furthermore, the matrix $L$ corresponds to a partition of the support of $F$
and can be computed from it. On the other hand

$$\omega \in Q_{k,N} = \{\zeta \in \mu_\infty^k : \Psi(\mathrm{ord}(\zeta)) \le N\},$$

which has cardinality bounded by $\exp\left(3(k+1)\sqrt{N \log N}\right)$ by
Lemma 2.6. Thus the algorithm will test the equalities (14) for all possible
partitions of the support of $F$ and for all possible choices of points in
$Q_{n,N}$. We can do it as follows:

Algorithm 2

Input: A polynomial $F(X) = \sum_{i=1}^{N} a_i X^{\alpha_i}$ given by its
lacunary encoding.

Output: A list $S_F$ of torsion cosets satisfying Theorem 1.1.

1. $S_F \leftarrow \emptyset$.

2. For each partition $\{J_1, \dots, J_s\}$ of $\{1, \dots, N\}$ such that
   $N_j \ge 2$ for all $1 \le j \le s$, do:

   (a) Compute for $1 \le j \le s$, the Laurent polynomials $G_j$ and the
       vectors $\lambda_{j,1}, \dots, \lambda_{j,k_j}$ as in (13).

   (b) Compute a basis $\lambda_1, \dots, \lambda_k$ of $R$ and compute, for
       $1 \le j \le s$ and for $1 \le h \le k_j$, the integers
       $\delta_{j,h,t}$ such that
       $\lambda_{j,h} = \sum_{t=1}^{k} \delta_{j,h,t} \lambda_t$.

   (c) For each squarefree integer $m'$ such that
       $\Psi(m') \le N - 2(s - 1)$ and for each
       $(\omega_1, \dots, \omega_k) \in \mu_\infty^k$ of order $m'$ do:

       i. Compute for $1 \le j \le s$ and for $1 \le h \le k_j$,
          $\omega_{j,h} := \prod_{t=1}^{k} \omega_t^{\delta_{j,h,t}}$
          and set $m_j := \mathrm{ord}(\omega_{j,1}, \dots, \omega_{j,k_j})$.

       ii. If for all $1 \le j \le s$, we have
           $G_j(\omega_{j,1}, \dots, \omega_{j,k_j}) = 0$, then do
           $S_F \leftarrow S_F \cup \{(L, (\omega_1, \dots, \omega_k))\}$,
           where $L$ is the matrix of size $k \times n$ whose rows are the
           vectors $\lambda_1, \dots, \lambda_k$.

3. Output $S_F$ and terminate.

The discussion above the description of Algorithm 2 guarantees its
correctness and it only remains to evaluate its running time.

At step (2.a) we first have to compute, for $1 \le j \le s$, the differences
$\alpha_{j,i} - \alpha_{j,1}$. This requires $O(Nn\log(d))$ bit operations.
Then we have to compute a basis $(\lambda_{j,1}, \dots, \lambda_{j,k_j})$ of
the subgroup $R_j$ of $\mathbb{Z}^n$. This can be done by computing the
Hermite normal form of the matrix whose rows consist of the vectors
$\alpha_{j,i} - \alpha_{j,1}$. This requires 0{N'^n^M{d) loglog((i)) bit
operations by Lemma 3.2. In order to compute the Laurent polynomials $G_j$, we
then have to compute the coordinates of the vectors
$\alpha_{j,i} - \alpha_{j,1}$ in the basis
$(\lambda_{j,1}, \dots, \lambda_{j,k_j})$. Thus we have to invert a linear
system of size $n \times n$ with coefficients bounded by $2d$. This can be
done in 0{n'^M{d) loglog((i)) bit operations. Finally, we can bound the total
number of bit operations performed at this step by



O {N^n^M{d) loglog(d)) . 
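
As an added illustration, not code from the paper, the following Python carries out the integer linear algebra of step (2.a) for one block F_j: a Hermite normal form basis of R_j, then the coordinates of each exponent difference in that basis, which are the exponent vectors of G_j in (13). The function names and the four sample exponent vectors are constructed for the example, and plain Euclidean row reduction is used, with no claim to the bit complexity of Lemma 3.2.

```python
def hermite_basis(rows):
    """Echelon (Hermite-style) basis of the subgroup of Z^n spanned by `rows`,
    obtained with integer row operations only."""
    M = [list(r) for r in rows]
    rank = 0
    for c in range(len(M[0])):
        while True:  # Euclid's algorithm on column c, rows rank..end
            nz = [i for i in range(rank, len(M)) if M[i][c] != 0]
            if len(nz) <= 1:
                break
            p = min(nz, key=lambda i: abs(M[i][c]))
            for i in nz:
                if i != p:
                    q = M[i][c] // M[p][c]
                    M[i] = [a - q * b for a, b in zip(M[i], M[p])]
        if not nz:
            continue  # no pivot in this column
        M[rank], M[nz[0]] = M[nz[0]], M[rank]
        if M[rank][c] < 0:
            M[rank] = [-a for a in M[rank]]
        for i in range(rank):  # reduce the entries above the pivot
            q = M[i][c] // M[rank][c]
            M[i] = [a - q * b for a, b in zip(M[i], M[rank])]
        rank += 1
    return M[:rank]


def coordinates(basis, v):
    """Integer coordinates of v in an echelon basis; ValueError if v is outside."""
    v, coords = list(v), []
    for b in basis:
        c = next(i for i, x in enumerate(b) if x)  # pivot column of b
        q, rem = divmod(v[c], b[c])
        if rem:
            raise ValueError("vector is not in the subgroup")
        coords.append(q)
        v = [x - q * y for x, y in zip(v, b)]
    if any(v):
        raise ValueError("vector is not in the subgroup")
    return coords


def reduce_exponents(alphas):
    """Basis of R_j and the exponent vectors of G_j for one block F_j (>= 2 terms)."""
    diffs = [[a - b for a, b in zip(alpha, alphas[0])] for alpha in alphas]
    basis = hermite_basis(diffs[1:])
    return basis, [coordinates(basis, d) for d in diffs]


# Constructed block F_j with four terms in three variables.
ALPHAS = [(1, 1, 0), (3, 5, 0), (1, 4, 3), (5, 6, -3)]
BASIS, G_EXPONENTS = reduce_exponents(ALPHAS)
```

Here R_j has rank 2 although the block lives in three variables, so G_j is a Laurent polynomial in two variables.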

At step (2.b), we compute the Hermite normal form of the matrix whose rows
are the vectors $\lambda_{j,h}$, where $1 \le j \le s$ and $1 \le h \le k_j$.
We obtain a basis $(\lambda_1, \dots, \lambda_k)$ of $R$. Finally we compute
the coordinates of the vectors $\lambda_{j,h}$ in this basis. This step again
requires

O {N^n^M{d) loglog(rf)) 

bit operations. 

At step (2.c), each number $\omega_t$ is represented by the pair of integers
$(p_t, m')$ such that

$$\omega_t = \exp\left(\frac{2i p_t \pi}{m'}\right).$$

At step (2.c.i), each number $\omega_{j,h}$ is represented by the pair of
integers

$$(d_{j,h}, m') := \left(\sum_{t=1}^{k} \delta_{j,h,t}\, p_t \bmod m',\ m'\right)$$

such that

$$\omega_{j,h} = \exp\left(\frac{2i d_{j,h} \pi}{m'}\right).$$

This computation requires


O [nM{d)M (exp (sViVbgiV) )) = O {nN'^M{d)) 



bit operations, since $m' < \exp\left(3\sqrt{N \log N}\right)$ according to
Lemma 2.6. Then we can compute for $1 \le j \le s$, the integer



rrij := 1cm . , , . 



m 



These computations require OinN"^) bit operations. Finally this step requires 

0{nN^M{d)) 

bit operations.

At step (2.c.ii), we have to test, for $1 \le j \le s$, the equality

$$G_j(\omega_{j,1}, \dots, \omega_{j,k_j}) = 0.$$

This is equivalent to testing, for $1 \le j \le s$, the divisibility condition

which can be checked by the method used in the step (2.c.ii) of Algorithm 1 
in 

O (^N\logNY2'^^^^^^{h + M{d))^ 

bit operations. 

Moreover, since there are at most $N!$ partitions to consider at step (2)
according to Lemma 2.5 and since there are at most
$\exp\left(3(n+1)\sqrt{N \log N}\right)$ torsion points to consider at step
(2.c) by Lemma 2.6, the total number of bit operations performed by the
algorithm is:

O {N''^{M{d) loglog(rf) + h)) . 

This terminates the proof of Theorem 1.1 in the case of a hypersurface.

4 Computing the torsion cosets of a variety 

The aim of this section is to prove Theorem 1.1. In the following, we fix
$F_1, \dots, F_k \in \mathbb{Z}[X_1, \dots, X_n]$ and we would like to compute
a representation of the torsion cosets included in the variety:

$$V := \{x \in \mathbb{G}_m^n : F_1(x) = \dots = F_k(x) = 0\}.$$

We will explain how we can modify Algorithm 2 of the last section to treat 
the case of several polynomials. We remark that the same modifications can 
be applied to Algorithm 1 to compute the common cyclotomic factors of 
several univariate polynomials. 

Let $\zeta \in V \cap \mu_\infty^n$ and $N_i$ be the number of non zero terms
in $F_i$, for $1 \le i \le k$ and let also $N := \max(N_1, \dots, N_k)$. For
each integer $i$ between 1 and $k$, we can reduce the equality
$F_i(\zeta) = 0$ to minimal sums as we have done in previous sections, by
considering a partition of the set $\{1, \dots, N_i\}$. Once this step is
performed for every integer $i$, we are reduced to step ^ of Algorithm 2 and
all other steps of Algorithm 2 can be kept. The number of partitions to
consider can now be bounded by

$$N_1! \times \cdots \times N_k! \le (N!)^k.$$

The number of torsion points which appear at step (2.c) can now be bounded by

$$\exp\left(3(n+1)\sqrt{kN \log kN}\right).$$
Finally, the total number of bit operations executed by the algorithm is: 

O (A^"'^^ {M{d) loglog(d) + h)) . 

This concludes the proof of Theorem 1.1. □

5 An upper bound for the number of torsion cosets

We prove Corollary 1.2. Let $V$ be a variety defined by $k$ polynomials, each
having at most $N$ non zero terms. Our algorithm outputs a representation of
$V_{tors}$ as the union of torsion cosets. We remark that at most one torsion
coset is output in every loop performed by Algorithm 2. Thus the total number
$t$ of torsion cosets included in $V$ is bounded by the number of loops
performed by the algorithm. Every loop corresponds to a partition of these
polynomials and to a choice of a point in $\mu_\infty^n$ of squarefree order
$m$ satisfying $\Psi(m) \le N$. As we have seen before, there are at most
$(N!)^k$ partitions and the number of points in $\mu_\infty^n$ to consider is
bounded by $\exp\left(3(n+1)\sqrt{kN \log kN}\right)$. Thus

$$t \le (N!)^k \exp\left(3(n+1)\sqrt{kN \log kN}\right),$$

which is the desired upper bound. □